An Authorization Bypass vulnerability in Nagios Incident Manager (component of Nagios XI) before 2.2.7 allows authenticated users to bypass the authentication checks via a void token.
“Resolve network incidents, collaborate with team members, and track incident history”. For more information visit https://www.nagios.com/products/nagios-incident-manager/.
The Nagios XI API /nagiosxi/includes/components/nagiosim/nagiosim.php
allows interaction with Nagios IM through the file nagiosxi/basedir/html/includes/components/nagiosim/nagiosim.php
:
|
|
At [1] the token is read from the HTTP request, at [2] the registered API key is read from the database and at [3] they are checked to be equal. However this doesn’t take in account that by default there’s no api_key
registered so it’s possible to pass the check via a void token.
An authenticated attacker can update arbitrary network incidents without the proper authorization.
[host]/nagiosxi/includes/components/nagiosim/nagiosim.php?mode=update&token=&incident_id=1337
using the logged-in sessionincident_id
is invalid, but authorization was valid.An authenticated attacker can bypass the authorization checks and perform arbitrary actions on any network incident.
Upgrade to Nagios IM 2.2.7 or later. (Note: we didn’t verify the patch.)
This report was subject to Shielder’s disclosure policy:
`polict` of Shielder
This advisory was first published on https://www.shielder.com/advisories/nagiosim-void-token-authorization-bypass/
Date
10 April 2019